RADIUS design flaw announced today
Alan DeKok
aland at deployingradius.com
Tue Jul 9 12:29:07 UTC 2024
The FreeRADIUS notification is at https://www.freeradius.org/security/
It's time to upgrade every switch, router, VPN concentrator, firewall, access point controller, RADIUS server. World-wide.
This is a design flaw in the RADIUS protocol. It affects all vendors of all RADIUS products.
I've been working on this for 5 months, and have written the definitive guide that all vendors are using to fix their equipment. We also have vendor-neutral test tools and upgrade documentation.
This is not just a "patch Tuesday". The new security features are controlled by compatibility flags. Upgrading is a multi-step process on both client and server.
Full details at https://www.inkbridgenetworks.com/blastradius/faq
In short, I was complaining about this issue in 1998. I tried to fix it in RFC5080, in 2007. FreeRADIUS has had fixes in since 3.0.0, in 2007. Since most vendors didn't follow the recommendations of RFC 5080, we're now in a panic mode "OMG, upgrade everything".
I'm doing a free webinar later today at https://alandekok.com/webinar/
Alan DeKok.